IBM Zone Trusted Information Channel (ZTIC)

A banking server's display on your key chain

More
and more attacks to online banking applications target the user's home PC,
changing what is displayed to the user, while logging and altering key strokes.
Therefore, third parties such as MELANI conclude
that "Two-factor authentication systems [...] do not afford protection
against such attacks and must be viewed as insecure once the computer of the
customer has been infected with malware".

In a widely published real-world example of the Trojan "Silent banker", Symantec states
that "The ability of this Trojan to perform man-in-the-middle attacks
on valid transactions is what is most worrying. The Trojan can intercept transactions
that require two-factor authentication. It can then silently change the user-entered
destination bank account details to the attacker's account details instead."

In order to foil these threats, IBM has introduced the Zone Trusted Information
Channel (ZTIC), a hardware device that can counter these attacks in an easy-to-use
way. The ZTIC is a USB-attached device containing a display and minimal I/O
capabilities that runs the full TLS/SSL protocol, thus entirely bypassing the
PC's software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device
(thus requiring no driver installation) and starting a "pass-through" proxy
configured to connect with pre-configured (banking) Websites. After starting
the ZTIC proxy, the user opens a Web browser to establish a connection with
the bank's Website via the ZTIC. From that moment on, all data transmitted
between browser and server pass through the ZTIC; the SSL session is protected
by keys maintained only on the ZTIC and, hence, is inaccessible to malware
on the PC (see usage and technical
operation animations, which illustrate how the ZTIC works).

In addition, all critical transaction information, such as target account
numbers, is automatically detected in the data stream between browser and ZTIC.
This critical information is then displayed on the ZTIC for explicit user confirmation:
Only after pressing the "OK" button does the TLS/SSL connection continue.
If any malware on the PC has inserted incorrect transaction data into the browser,
it can be easily detected by the user at this moment.

Comparison

Various alternatives exist for protecting users against state-of-the-art attacks to online authentication, such as chip card technology or special browser software. The core difference between the ZTIC and these alternatives is that the ZTIC does not rely whatsoever on any software running on the PC, such as device drivers or user interface elements (e.g., any screen elements), as these can be subverted, e.g., painted over, by attackers' malware.

Another feasible solution to this problem is to use the user's mobile phone/SMS as a channel to convey transaction confirmation details between server and user ("mTAN"). Until mobile phone malware appears similarly often as on home computers, such solutions are comparable to the ZTIC with regard to the degree of security they provide. Hence, at this time, the primary differences between ZTIC and mTAN solutions are economic in nature (each and every mTan incurs the cost of an SMS, whereas the ZTIC, once it has been issued, does not incur any further incremental costs per transaction), privacy-related (banking transaction information sent over GSM networks) and in the area of usability (the user has to manually copy mTANs from the phone into the browser). Only completely disconnected card readers with their own user input/output capabilities (e.g., PINpad and display) provide a similar level of security as ZTIC, albeit at the cost of more user involvement at every transaction, i.e., a degradation of convenience.

Background information

This website is intended only to provide a high-level introduction to the
concept of the ZTIC. For more details, the reader is referred to either of
the two publications below. In addition, we are happy to answer any pertinent
emails sent to ztic@zurich.ibm.com.